<p>Android applications can receive broadcasts from the system or other applications. Receiving intents is security-sensitive. For example, it has led
in the past to the following vulnerabilities:</p>
<ul>
  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2019-1677">CVE-2019-1677</a> </li>
  <li> <a href="https://www.cve.org/CVERecord?id=CVE-2015-1275">CVE-2015-1275</a> </li>
</ul>
<p>Receivers can be declared in the manifest or in the code to make them context-specific. If the receiver is declared in the manifest Android will
start the application if it is not already running once a matching broadcast is received. The receiver is an entry point into the application.</p>
<p>Other applications can send potentially malicious broadcasts, so it is important to consider broadcasts as untrusted and to limit the applications
that can send broadcasts to the receiver.</p>
<p>Permissions can be specified to restrict broadcasts to authorized applications. Restrictions can be enforced by both the sender and receiver of a
broadcast. If permissions are specified when registering a broadcast receiver, then only broadcasters who were granted this permission can send a
message to the receiver.</p>
<p>This rule raises an issue when a receiver is registered without specifying any broadcast permission.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The data extracted from intents is not sanitized. </li>
  <li> Intents broadcast is not restricted. </li>
</ul>
<p>There is a risk if you answered yes to any of those questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>Restrict the access to broadcasted intents. See the <a
href="https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions">Android documentation</a> for more
information.</p>
<h2>Sensitive Code Example</h2>
<pre>
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.IntentFilter;
import android.os.Build;
import android.os.Handler;
import android.support.annotation.RequiresApi;

public class MyIntentReceiver {

    @RequiresApi(api = Build.VERSION_CODES.O)
    public void register(Context context, BroadcastReceiver receiver,
                         IntentFilter filter,
                         String broadcastPermission,
                         Handler scheduler,
                         int flags) {
        context.registerReceiver(receiver, filter); // Sensitive
        context.registerReceiver(receiver, filter, flags); // Sensitive

        // Broadcasting intent with "null" for broadcastPermission
        context.registerReceiver(receiver, filter, null, scheduler); // Sensitive
        context.registerReceiver(receiver, filter, null, scheduler, flags); // Sensitive
    }
}
</pre>
<h2>Compliant Solution</h2>
<pre>
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.IntentFilter;
import android.os.Build;
import android.os.Handler;
import android.support.annotation.RequiresApi;

public class MyIntentReceiver {

    @RequiresApi(api = Build.VERSION_CODES.O)
    public void register(Context context, BroadcastReceiver receiver,
                         IntentFilter filter,
                         String broadcastPermission,
                         Handler scheduler,
                         int flags) {

        context.registerReceiver(receiver, filter, broadcastPermission, scheduler);
        context.registerReceiver(receiver, filter, broadcastPermission, scheduler, flags);
    }
}
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://mas.owasp.org/checklists/MASVS-PLATFORM/">Mobile AppSec Verification Standard - Platform Interaction Requirements</a>
  </li>
  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage">Mobile Top 10 2016 Category M1 - Improper
  Platform Usage</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m3-insecure-authentication-authorization">Mobile Top 10 2024 Category
  M3 - Insecure Authentication/Authorization</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-mobile-top-10/2023-risks/m4-insufficient-input-output-validation">Mobile Top 10 2024 Category M4
  - Insufficient Input/Output Validation</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/925">CWE-925 - Improper Verification of Intent by Broadcast Receiver</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/926">CWE-926 - Improper Export of Android Application Components</a> </li>
  <li> <a href="https://developer.android.com/guide/components/broadcasts.html#restricting_broadcasts_with_permissions">Android documentation</a> -
  Broadcast Overview - Security considerations and best practices </li>
</ul>

